
Syslog messages empty


Enda


I have syslog configured on ESMC, and syslog messages are being recorded and forwarded to our SIEM, but every now and then it stops working and only sends blank logs such as those shown in the screenshot.

Anyone experienced this before?


We have contacted support and they said they have no experience with syslog. The error seems to be related to how ERA processes syslog messages. The logs are present in the web console and logs are being forwarded properly to the syslog server, but the messages being written to the syslog daemon by ERA are empty.


Turning syslog off and on in the server settings sometimes fixes this but not always. Rebooting stops it working if it is.

  • Administrators

If the local ESET support is unable to provide a solution and further troubleshooting is needed, they should contact ESET HQ. You can provide me with the ticket ID and we will inquire with the Irish support team about it.

  • ESET Staff

Could you please provide more details of the syslog configuration? I am asking because a few issues related to delimiters and handling of new line characters were identified in ESMC 7.1, but in all cases the empty records were just redundant, i.e. data were not lost, they were just wrongly interpreted due to incorrect encoding.

I would also recommend capturing this with full verbosity trace logging enabled in ESMC; it will be required for analysis, especially if it is possible to pair it with the empty records in syslog.

  • ESET Staff

Thanks. As JSON is used, most of the issues I mentioned are not relevant, but I would recommend checking whether switching to TCP and "Octet counted framing" helps. TCP should help for longer messages (exceeding UDP limits), and octet counting should help the parser identify the start and end of each message, especially if that is the issue you have encountered. Just be aware that both changes have to be supported by the syslog server as well.

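The two staff replies above point at framing: a newline-delimited TCP receiver splits on every LF, so an LF inside a JSON body or at the end of a record shows up as a header-less fragment or an empty record, while octet-counted framing (RFC 6587) carries an explicit byte length and never inspects the payload. This added example (not code from ESET or from this thread) runs constructed records through both framings; the host and app names are placeholders, not the product's real syslog format.

```python
"""Added example, not code from ESET or this thread: how the two syslog-over-TCP
framings in RFC 6587 behave when a JSON body contains newline bytes. All records
are constructed; host/app names are placeholders, not the product's format."""
import re

SAMPLE_EVENTS = [  # constructed RFC 5424-style records with a JSON body
    b'<14>1 2020-01-01T00:00:00Z esmc-host syslog-out - - - '
    b'{"event_type":"Threat_Event","threat_name":"Eicar test file"}',
    b'<14>1 2020-01-01T00:00:01Z esmc-host syslog-out - - - '
    b'{"event_type":"Audit_Event","description":"line one\nline two"}',  # raw LF inside
    b'<14>1 2020-01-01T00:00:02Z esmc-host syslog-out - - - '
    b'{"event_type":"Audit_Event","result":"ok"}\n',  # producer already ends with LF
]

def parse_newline_framed(data: bytes) -> list[bytes]:
    """Non-transparent framing: split on LF, so an LF inside a payload yields
    extra records (header-less fragments or empty strings)."""
    records = data.split(b"\n")
    if records and records[-1] == b"":   # drop the tail after the final LF
        records.pop()
    return records

def frame_octet_counted(msg: bytes) -> bytes:
    """Octet-counted framing: prefix the message with its decimal byte length."""
    return b"%d %s" % (len(msg), msg)

def parse_octet_counted(buf: bytes) -> tuple[list[bytes], bytes]:
    """Return complete messages plus the unconsumed remainder (a frame whose bytes
    have not all arrived yet). The payload is never inspected, so LFs are safe."""
    messages = []
    while buf:
        m = re.match(rb"(\d{1,5}) ", buf)
        if not m:
            raise ValueError("not octet-counted framing: %r" % buf[:16])
        start, length = m.end(), int(m.group(1))
        if len(buf) < start + length:
            break                        # partial frame: wait for more TCP data
        messages.append(buf[start:start + length])
        buf = buf[start + length:]
    return messages, buf

def compare_framings(events: list[bytes] = SAMPLE_EVENTS) -> dict:
    """Send the same events through both framings and return what each receiver
    reconstructs; 'newline_empty' counts the blank records the first one produces."""
    lf_records = parse_newline_framed(b"".join(e + b"\n" for e in events))
    oc_records, rest = parse_octet_counted(b"".join(map(frame_octet_counted, events)))
    return {"newline": lf_records, "newline_empty": lf_records.count(b""),
            "octet": oc_records, "octet_rest": rest}
```

With the three constructed events, newline framing yields five records (one blank, one without a syslog header), while octet-counted framing returns exactly the three original messages.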
  • 2 weeks later...

I tried switching to TCP but the logs wouldn't forward at all. The syslog application was listening on TCP, but as soon as I switched back to UDP it started working again. It's got to the point now where I have to log in to ESMC multiple times a day and do the following in advanced server settings to fix the issue:

1. Disable syslog
2. Save
3. Enable syslog
4. Save


Anybody know if it's possible to do steps 1-4 via a script? If we could do that and schedule it every 15 minutes, it would save a lot of manual effort fixing this multiple times a day.
